Re: [Int-area] Re: [dhcwg] Discussion of subscriber authentication
"Julien Bournelle" <julien.bournelle@gmail.com> Fri, 30 March 2007 08:21 UTC
Return-path: <int-area-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HXCMi-0001AF-VS; Fri, 30 Mar 2007 04:21:44 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HXCMg-0001A1-En for Int-area@lists.ietf.org; Fri, 30 Mar 2007 04:21:42 -0400
Received: from ik-out-1112.google.com ([66.249.90.183]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HXCMf-0001Rk-Uf for Int-area@lists.ietf.org; Fri, 30 Mar 2007 04:21:42 -0400
Received: by ik-out-1112.google.com with SMTP id c21so347757ika for <Int-area@lists.ietf.org>; Fri, 30 Mar 2007 01:21:39 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=YLaUN+8SAoQsVq5vEWlfuphdFiNXlTKscz7i4OzHalkLrdRmK7dQmApSLsreQwluVZ21lQxXmKqjieIZw+RE7urTiNmYZs2ZfsQUtNuXkEfDLKQ/ICx85btihcq5WyCTRWq1y1X96JgzG7KoMskLZSoA1LnN+YSKS1N/f/Fac9k=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=ZmevmL92Jsfyqw9f6DZqel0wXCggnRj9kUqiz891ma8PhWnBUjOh/KtKXFn2dezl8/YO85PjvBBDNLC23e8tfbxhqUmjv9OFg0ST6rlC1jp2aMSEFyZzp/YmMNHlStjJrl58cxOfHm5abf3bvrYzlBilHtUon7aAJVCJW/dgonA=
Received: by 10.78.179.12 with SMTP id b12mr736111huf.1175242899031; Fri, 30 Mar 2007 01:21:39 -0700 (PDT)
Received: by 10.78.168.16 with HTTP; Fri, 30 Mar 2007 01:21:38 -0700 (PDT)
Message-ID: <5e2406980703300121l4fa1bb13xcb0eef22b40b3261@mail.gmail.com>
Date: Fri, 30 Mar 2007 10:21:38 +0200
From: Julien Bournelle <julien.bournelle@gmail.com>
To: John Schnizlein <jschnizl@cisco.com>
Subject: Re: [Int-area] Re: [dhcwg] Discussion of subscriber authentication
In-Reply-To: <CE64EC79-FA87-40F8-8731-0E346A4DBB27@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <8E296595B6471A4689555D5D725EBB2103A34015@xmb-rtp-20a.amer.cisco.com> <CE64EC79-FA87-40F8-8731-0E346A4DBB27@cisco.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 1449ead51a2ff026dcb23465f5379250
Cc: DHC WG <dhcwg@ietf.org>, "Bernie Volz (volz)" <volz@cisco.com>, Int-area@lists.ietf.org
X-BeenThere: int-area@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/int-area>
List-Post: <mailto:int-area@lists.ietf.org>
List-Help: <mailto:int-area-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=subscribe>
Errors-To: int-area-bounces@lists.ietf.org
Hi, On 3/29/07, John Schnizlein <jschnizl@cisco.com> wrote: > The authentication in RFC 3118 (for DHCPv4) and RFC 3315 (for DHCPv6) > is message authentication, not subscriber authentication. > > Message authentication is all about ensuring that the contents are > not fake, assuming that there is enough shared trust between client > and server host computers. The shared trust also serves to control > authorization to exchange DHCP messages. > > Subscriber authentication is about the user of network access, and > the user is often the person who has credentials rather than the > host, although storing user credentials on the host happens. > > The point of section 2.5 of draft-aboba-ip-config-00.txt is that > these are different: > > 2.5. Configuration is Not Access Control > > Network access authentication is a distinct problem from Internet > host configuration. right, I don't think we should overload DHCP with subscriber authentication. My 2 cents, Julien > > John > > On Mar 29, 2007, at 2:50 PM, Bernie Volz ((volz)) wrote: > > > Ralph: > > > > Isn't this discussion a bit late given that RFC 3118 exists and RFC > > 3315 > > contains Authentication? > > > > RFC 3118 abstract reads: > > > > This document defines a new Dynamic Host Configuration Protocol > > (DHCP) option through which authorization tickets can be easily > > generated and newly attached hosts with proper authorization can be > > automatically configured from an authenticated DHCP server. DHCP > > provides a framework for passing configuration information to hosts > > on a TCP/IP network. In some situations, network administrators > > may > > wish to constrain the allocation of addresses to authorized hosts. > > Additionally, some network administrators may wish to provide for > > authentication of the source and contents of DHCP messages. > > > > Other than the data used to authenticate (which in this case is a > > username and password, instead of a shared secret), what really is the > > difference? I guess it all depends on what "authorized" hosts means. > > > > RFC 3118 does have issues as it is difficult to handle client > > authentication without exposing the client's identity (since > > there's no > > good way to "delay" the authentication) -- this is discussed in > > draft-ietf-dhc-v4-threat-analysis-03.txt, section 5. > > > > One additional flaw with Rick draft's is that there's no provision to > > authenticate the server -- which means that if a client doing this is > > mobile and attaches to other networks, it may expose the username and > > password. > > > > I think Ted Lemon's point that Ric's draft should stick to the DHC > > client/server authentication communication and not mention how other > > network elements may use the end result of the DHCP exchange (i.e., > > the > > "authorization" to use the network). See > > http://www1.ietf.org/mail-archive/web/dhcwg/current/msg07138.html. > > > > If we could work this out within the RFC 3118 framework, it certainly > > would kick start DHCP authentication. > > > > - Bernie > > > > -----Original Message----- > > From: Ralph Droms (rdroms) > > Sent: Thursday, March 29, 2007 1:47 PM > > To: Int-area@lists.ietf.org > > Subject: [dhcwg] Discussion of subscriber authentication > > > > At the dhc WG meeting in Prague, there was a discussion of "subscriber > > authentication" and how that function might be provided through DHCP. > > Ric > > Pruss gave a presentation about a proposal for subscriber > > authentication > > through DHCP: > > > > http://www3.ietf.org/proceedings/07mar/slides/dhc-2.pdf > > http://www.ietf.org/internet-drafts/draft-pruss-dhcp-auth-dsl-00.txt > > > > There is a related draft that was not discussed at the dhc WG meeting: > > > > http://www.ietf.org/internet-drafts/draft-zhao-dhc-user- > > authentication-0 > > 1.tx > > t > > > > There was also a discussion of "Principles of Internet Host > > Configuration". > > Dave Thaler gave a presentation about the draft he co-authored with > > Bernard > > Aboba: > > > > http://www3.ietf.org/proceedings/07mar/slides/dhc-7.pdf > > http://www.ietf.org/internet-drafts/draft-aboba-ip-config-00.txt > > > > During the discussion of subscriber authentication, it was noted that > > the > > proposed solutions assume that DHCP is the right vehicle through which > > subscriber authentication should take place. That assumption needs to > > be > > further examined; PANA, for example, provides an alternative solution > > which > > does not depend on DHCP. Before the IETF proceeds with a DHCP-based > > solution, we need to discuss the broader issue of where subscriber > > authentication should be implemented. > > > > Accordingly, the Internet Area directors and the WG chairs have > > decided > > to > > move the discussion of subscriber authentication to the int-area > > mailing > > list. This discussion will explore the subscriber authentication > > problem > > space and requirements, to come to some initial consensus about > > where a > > solution might belong. > > > > To kick off the discussion, we are trying to get permission to publish > > subscriber authentication requirements from the DSL Forum. > > > > I've included dhcwg@ietf.org as a BCC to this note, to inform the > > dhc WG > > members that further discussion of subscriber authentication will move > > to > > int-area@lists.ietf.org. I've also included secdir@mit.edu as a > > BCC, to > > make sure we have appropriate security clue in the discussion. > > > > - Ralph > > > > > > > > > > _______________________________________________ > > dhcwg mailing list > > dhcwg@ietf.org > > https://www1.ietf.org/mailman/listinfo/dhcwg > > > > _______________________________________________ > > dhcwg mailing list > > dhcwg@ietf.org > > https://www1.ietf.org/mailman/listinfo/dhcwg > > _______________________________________________ > Int-area mailing list > Int-area@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/int-area > _______________________________________________ Int-area mailing list Int-area@lists.ietf.org https://www1.ietf.org/mailman/listinfo/int-area
- [Int-area] Re: [dhcwg] Discussion of subscriber a… Ralph Droms
- [Int-area] Discussion of subscriber authentication Ralph Droms
- [Int-area] Re: [dhcwg] Discussion of subscriber a… John Schnizlein
- RE: [Int-area] Re: [dhcwg] Discussion of subscrib… Hesham Soliman
- Re: [Int-area] Re: [dhcwg] Discussion of subscrib… Julien Bournelle
- [Int-area] Re: [dhcwg] Discussion of subscriber a… Ralph Droms
- RE: [Int-area] Re: [dhcwg] Discussion of subscrib… Behcet Sarikaya
- RE: [Int-area] Re: [dhcwg] Discussion of subscrib… Behcet Sarikaya
- Re: [Int-area] Re: [dhcwg] Discussion of subscrib… Alan DeKok
- Re: [Int-area] Discussion of subscriber authentic… Behcet Sarikaya
- Re: [Int-area] Discussion of subscriber authentic… Ralph Droms
- Re: [Int-area] Discussion of subscriber authentic… Alan DeKok
- Re: [Int-area] Discussion of subscriber authentic… Behcet Sarikaya
- RE: [Int-area] Discussion of subscriber authentic… Curtis Sherbo
- RE: [Int-area] Discussion of subscriber authentic… Alper Yegin
- Re: [Int-area] Discussion of subscriber authentic… Alan DeKok
- RE: [Int-area] Discussion of subscriber authentic… Narayanan, Vidya
- Re: [Int-area] Re: [dhcwg] Discussion of subscrib… Richard Pruss
- Re: [Int-area] Re: [dhcwg] Discussion of subscrib… Alan DeKok
- Re: [Int-area] Discussion of subscriber authentic… Ralph Droms
- Re: [Int-area] Re: [dhcwg] Discussion of subscrib… Richard Pruss
- Re: [Int-area] Discussion of subscriber authentic… Richard Pruss
- Re: [Int-area] Re: [dhcwg] Discussion of subscrib… Alan DeKok
- Re: [Int-area] Re: [dhcwg] Discussion of subscrib… Richard Pruss
- RE: [Int-area] Discussion of subscriber authentic… Alper Yegin
- RE: [Int-area] Re: [dhcwg] Discussion of subscrib… Alper Yegin
- Re: [Int-area] Re: [dhcwg] Discussion of subscrib… Alan DeKok
- Re: [Int-area] Re: [dhcwg] Discussion of subscrib… Ralph Droms
- Re: [Int-area] Re: [dhcwg] Discussion of subscrib… Soininen Jonne (NSN FI/Espoo)
- Re: [Int-area] Re: [dhcwg] Discussion of subscrib… Ralph Droms
- Re: [Int-area] Re: [dhcwg] Discussion of subscrib… Richard Pruss
- Re: [Int-area] Re: [dhcwg] Discussion of subscrib… Richard Pruss
- RE: [Int-area] RE: [dhcwg] Discussion of subscrib… Alper Yegin
- RE: [Int-area] RE: [dhcwg] Discussion of subscrib… Bernie Volz (volz)
- Re: [Int-area] RE: [dhcwg] Discussion of subscrib… Alan DeKok
- Re: [Int-area] RE: [dhcwg] Discussion of subscrib… Richard Pruss
- Re: [Int-area] RE: [dhcwg] Discussion of subscrib… Alan DeKok
- Re: [Int-area] RE: [dhcwg] Discussion of subscrib… Richard Pruss
- Re: [Int-area] RE: [dhcwg] Discussion of subscrib… Alan DeKok
- Re: [Int-area] Discussion of subscriber authentic… Richard Pruss
- Re: [Int-area] Discussion of subscriber authentic… Ralph Droms